Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the United States Coast Guard Component of the FY 2008 DHS Financial Statement Audit

(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General has redacted the report for public release. A review under the Freedom of Information Act will be conducted upon request.

OIG-09-47                                                                          March 2009

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

March 27, 2009

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the United States Coast Guard (CG) component of the FY 2008 DHS financial statement audit as of September 30, 2008. It contains observations and recommendations related to information technology internal control that were not required to be reported in the financial statement audit report (OIG-09-09, November 2008) and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit of CG's FY 2008 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated December 5, 2008, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control, nor do we make conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

KPMG LLP
2001 M Street, NW
Washington, DC 20036

December 5, 2008

Inspector General
U.S. Department of Homeland Security

Chief Information Officer
U.S. Coast Guard

Chief Financial Officer
U.S. Coast Guard

Ladies and Gentlemen:

We were engaged to audit the accompanying consolidated balance sheet of the U.S. Department of Homeland Security (DHS) as of September 30, 2008, and the related statement of custodial activity for the year then ended (referred to herein as "financial statements"). We were not engaged to audit the statements of net cost, changes in net position, and budgetary resources for the year ending September 30, 2008 (referred to herein as "other financial statements"). Because of matters discussed in our Independent Auditors' Report, dated November 14, 2008, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements.

In connection with our fiscal year (FY) 2008 engagement, we considered Coast Guard's internal control over financial reporting by obtaining an understanding of Coast Guard's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our procedures. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982 (FMFIA). The objective of our engagement was not to provide an opinion on the effectiveness of DHS' internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of DHS' internal control over financial reporting. Further, other matters involving internal control over financial reporting may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the DHS balance sheet as of September 30, 2008, and the related statement of custodial activity for the year then ended, and had we been engaged to audit the other FY 2008 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects DHS' ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of DHS' financial statements that is more than inconsequential will not be prevented or detected by DHS' internal control over financial reporting. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity's internal control.

During our audit engagement, we noted certain matters in the area of application software development and change control with respect to Coast Guard's financial systems Information Technology (IT) general controls which we believe contribute to a DHS-level significant deficiency that is considered a material weakness in IT general and application controls. These matters are described in the IT General Control Findings by Audit Area section of this letter.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

The material weakness described above is presented in our Independent Auditors' Report, dated November 14, 2008. This letter represents the separate restricted distribution report mentioned in that report.

Although not considered to be material weaknesses, we also noted certain other matters during our audit engagement which we would like to bring to your attention. These matters are also described in the IT General Control Findings by Audit Area section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS' organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors' Report.

The Table of Contents on the next page identifies each section of the letter. In addition, we have provided: a description of key Coast Guard financial systems and information technology infrastructure within the scope of the FY 2008 DHS financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer dated December 5, 2008.

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General, OMB, U.S. Government Accountability Office, and the U.S.
Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
United States Coast Guard
Information Technology Management Letter
September 30, 2008

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                           Page
Objective, Scope and Approach                                                 1
Summary of Findings and Recommendations                                       2
Information Technology General Control Findings by Audit Area                 3
  Findings Contributing to a Material Weakness in IT General Controls         3
    Application Software Development and Change Controls                      3
  Other Findings in IT General Controls                                       4
    Access Controls                                                           4
    Entity-Wide Security Program Planning and Management                      4
    Service Continuity                                                        5
Application Control Findings                                                  7
Management Comments and OIG Response                                          7

APPENDICES

Appendix  Subject                                                                                     Page
A         Description of Key Coast Guard Financial Systems and IT Infrastructure within the Scope
          of the FY 2008 DHS Financial Statement Audit                                                   8
B         FY 2008 Notices of IT Findings and Recommendations at Coast Guard                             11
C         Status of Prior Year Notices of Findings and Recommendations and Comparison to Current
          Year Notices of Findings and Recommendations at Coast Guard                                  25
D         Management Comments                                                                          35

OBJECTIVE, SCOPE AND APPROACH

We were engaged to perform an audit of Department of Homeland Security (DHS) Information Technology (IT) general controls in support of the fiscal year (FY) 2008 DHS balance sheet and statement of custodial activity audit engagement. The overall objective of our engagement was to evaluate the effectiveness of IT general controls of DHS' financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit. The scope of the Coast Guard IT general controls assessment is described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following six control functions to be essential to the effective operation of the general IT controls environment.

• Entity-wide security program planning and management (EWS) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Application software development and change control (ASDCC) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
• System software controls (SS) – Controls that limit and monitor access to powerful programs that operate computer hardware and secure applications supported by the system.
• Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
• Service continuity (SC) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit, we also performed technical security testing for key network and system devices. The technical security testing was performed from within a select Coast Guard facility, and focused on test, development, and production devices that directly support Coast Guard's financial processing and key general support systems.

Application controls were not tested for the year ending September 30, 2008 due to the nature of prior-year audit findings.

Information Technology Management Letter for the Coast Guard Component of the FY 2008 DHS Financial Statement Audit

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During fiscal year (FY) 2008, Coast Guard took corrective action to address nearly half of its prior-year IT control weaknesses. For example, Coast Guard made improvements by implementing emergency response training for all Coast Guard [redacted] personnel with data center access, verifying that all Coast Guard [redacted] personnel have completed exit forms upon separation, and testing disaster recovery procedures. However, during FY 2008, we continued to identify IT general control weaknesses at Coast Guard. The most significant weaknesses from a financial statement audit perspective related to the development, implementation, and tracking of scripts at [redacted], and the design and implementation of configuration management policies and procedures at [redacted]. These IT control weaknesses limited Coast Guard's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability.
In addition, these weaknesses negatively impacted the internal controls over Coast Guard financial reporting and its operation, and we consider them to collectively represent a material weakness for Coast Guard under standards established by the American Institute of Certified Public Accountants (AICPA). Further, based upon the results of our test work, we noted that the Coast Guard did not fully comply with the requirements of the Federal Financial Management Improvement Act (FFMIA).

Of the 22 findings identified during our FY 2008 testing, 21 were repeat findings, either partially or in whole, from the prior year, and 1 was a new IT finding. These findings represent weaknesses in four of the six FISCAM key control areas. The FISCAM areas impacted included Application Software Development and Change Controls, Access Controls, Service Continuity, and Entity-Wide Security Program Planning and Management. The majority of the findings stem from the lack of properly designed, detailed, and consistent guidance over financial system controls to enforce DHS Sensitive System Policy Directive 4300A requirements and National Institute of Standards and Technology (NIST) guidance. Specifically, the findings stem from 1) unverified access controls through the lack of user access privilege re-certifications, 2) entity-wide security program issues involving civilian and contractor background investigation weaknesses, 3) inadequately designed and operating change control policies and procedures, 4) patch and configuration management weaknesses within the system, and 5) the lack of updated disaster recovery plans which reflect the current environment identified through testing. These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and Coast Guard financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in the DHS financial statements.

While the recommendations made by KPMG should be considered by Coast Guard, it is the ultimate responsibility of Coast Guard management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.

IT GENERAL CONTROL FINDINGS BY AUDIT AREA

Findings Contributing to a Material Weakness in IT General Controls

Conditions: In FY 2008, the following IT and financial system control weaknesses were identified at the Coast Guard and contribute to a DHS-level significant deficiency that is considered a material weakness in IT general and application controls.

Application software development and change controls – we noted:
• For the data scripts run at Coast Guard's [redacted], procedures over approval, testing, and documentation requirements remain in draft form. The [redacted] does not consistently include all testing, approval, and implementation documentation for all scripts. In addition, Coast Guard does not monitor scripts run in the database through audit logging and has not developed a technical solution to monitor who accesses the database through [redacted] to run scripts or to review what scripts are run.
• Coast Guard conducted an examination of the data scripts run with an external, independent organization; however, due to the many limitations over scope, the analysis was incomplete. Furthermore, the analysis did not properly evaluate scripts as to financial statement impact, including current versus prior year effect.
• Coast Guard lacks a formal process to distinguish between the module lead approvers for script approval requests.
• Procedures over software changes for the key financial applications during the development and testing processes include multiple weaknesses.

Recommendations: We recommend that the Coast Guard Chief Information Officer and Chief Financial Officer, in coordination with the DHS Office of the Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to Coast Guard's financial management systems and associated information technology security program:
• Implement and document in detail a single, integrated script change control process that includes clear lines of authority to Coast Guard financial and IT management personnel, enforced responsibilities of all participants in the process, and documentation requirements.
• Continue efforts to complete an in-depth analysis of active scripts, with the following objectives: all changes to active scripts and all new scripts should be subject to an appropriate software change control process, to include testing, reviews, and approvals, and should be reviewed for impact on financial statement balances.
• Develop and implement change control policies and procedures to verify that all software changes are approved, tested, documented, tracked, and reviewed prior to deploying the changes into the production environment in accordance with DHS Sensitive System Policy Directive 4300A.

Other Findings in IT General Controls

Although not considered to be a material weakness, we also noted the following other matters related to IT and financial system control deficiencies during the FY 2008 audit engagement:

1. Access controls – we noted:
• Procedures surrounding the system used to track contracted personnel data have not been formally documented.
• Procedures over the process of finalizing and implementing entity-wide processes for account terminations and related notifications are still in draft and have not been implemented or communicated.
• Security configuration management weaknesses exist on hosts supporting the key financial applications and the underlying general support systems.
• Security patch management weaknesses exist on hosts supporting the key financial applications and general support systems.
• Policies and procedures have not been developed and implemented for the manual periodic review of audit logs for key financial systems.
• Access review procedures for key financial applications do not include the review of all user accounts to ensure that all terminated individuals no longer have active accounts, that inactive accounts are locked, and that privileges associated with each individual are still authorized and necessary.
• Access control weaknesses identified during our IT testing also contributed to numerous instances where access to data could lead to various incompatible function issues.
• Access request forms are not being completed for all financial system users on a consistent basis.

2. Entity-wide security program planning and management – we noted:
• Security configuration requirements were not implemented into the contract language of a support contractor.
• Policies or procedures have not been implemented to require that a favorably adjudicated background investigation be completed for all contractor personnel.
• Background investigations for all civilian employees have not been completed and civilian position sensitivity designations have not been determined in accordance with DHS guidance.
• A risk assessment for a major financial application has not been completed and the associated System Security Plan remains in draft form.

3. Service continuity – we noted:
• The [redacted] Continuity of Operations (COOP) Plan has not been updated to reflect the results of testing and the division Business Continuity Plans have not been finalized.

Recommendations: We recommend that the Coast Guard Chief Information Officer and Chief Financial Officer, in coordination with the DHS Office of the Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to Coast Guard's financial management systems and associated information technology security program.

For access controls:
• Develop procedures for the periodic manual review of audit logs. In addition, ensure audit log files are configured, retained, and archived in compliance with DHS policy.
• Develop and implement procedures to require a periodic review by supervisors of all financial application and database user accounts and their associated privileges. These procedures should include steps to verify that all terminated individuals no longer have active accounts, that inactive accounts are locked, and that privileges associated with each individual are still authorized and necessary.
• Finalize the procedural documentation over contractor tracking and communicate/distribute the procedures. In addition, continuously monitor controls over the contractor tracking system to verify that contractor data within the system remains current and accurate.
• Actively monitor the use of and changes related to operating systems and other sensitive utility software and hardware. Additionally, perform corrective actions on the specific patch and configuration weaknesses identified.
• Implement an automated process/system that will notify system owners of terminated contractor, military, and civilian personnel.
• Finalize and implement entity management policies and procedures for verifying that terminated user accounts have been successfully removed.
• Develop and implement procedures to require an annual review of all financial application and database user account privileges to verify that privileges remain up to date and proper segregation of duties exists.
• Update procedures to ensure that a documented and approved access authorization request is completed for each individual prior to granting him/her access to the key financial applications or databases.
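The access-control recommendations above state what a recertification must verify but not how the review is actually run. The following is an added example, not code from this letter, from KPMG or from Coast Guard: a Python check that reconciles a financial-application user export against an HR separation list and a role authorization matrix and applies the tests named above (terminated individuals still holding active accounts, inactive accounts that are not locked, privileges beyond what the individual's role authorizes, and incompatible functions combined in one account). The account records, separation dates, role matrix, incompatible-function pairs, the review date and the 45-day inactivity threshold are all constructed for the example.

```python
"""Periodic access recertification for a financial application.

Added example; not code from the OIG/KPMG report or from Coast Guard.
Runs the tests the report's access-control recommendation names over
constructed data: the user export, HR separation list, role authorization
matrix, incompatible-function pairs and the 45-day inactivity threshold
are all assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2008, 9, 30)    # review date (the fiscal year end used in the report)
INACTIVITY_LIMIT_DAYS = 45   # assumed policy threshold for locking idle accounts


@dataclass(frozen=True)
class Account:
    user_id: str
    status: str                 # "active" or "locked"
    last_login: Optional[date]  # None means the account has never been used
    job_role: str
    privileges: frozenset


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str
    detail: str


# Constructed user export from the financial application.
ACCOUNTS = [
    Account("asmith", "active", date(2008, 9, 28), "accountant", frozenset({"je_post"})),
    Account("bjones", "active", date(2008, 7, 1), "accountant", frozenset({"je_post"})),
    Account("cdoe", "locked", date(2008, 3, 1), "accountant", frozenset({"je_post"})),
    Account("dlee", "active", date(2008, 9, 29), "ap_clerk",
            frozenset({"vendor_maintain", "payment_approve"})),
    Account("erivera", "active", None, "analyst", frozenset({"read_reports"})),
    Account("fkhan", "active", date(2008, 9, 10), "supervisor",
            frozenset({"je_post", "je_approve"})),
]

# Constructed HR separation list: user id -> separation date.
# "gwong" no longer appears in the export, which is the desired state.
SEPARATIONS = {"bjones": date(2008, 8, 15), "gwong": date(2008, 6, 1)}

# Constructed authorization matrix: job role -> privileges the role may hold.
AUTHORIZED = {
    "accountant": frozenset({"je_post"}),
    "ap_clerk": frozenset({"vendor_maintain", "invoice_enter"}),
    "analyst": frozenset({"read_reports"}),
    "supervisor": frozenset({"je_post", "je_approve"}),
}

# Constructed incompatible-function pairs for the segregation-of-duties test.
INCOMPATIBLE = [
    frozenset({"vendor_maintain", "payment_approve"}),
    frozenset({"je_post", "je_approve"}),
]


def recertify(accounts, separations, authorized, incompatible,
              as_of=AS_OF, inactivity_limit=INACTIVITY_LIMIT_DAYS):
    """Return one Finding for every control failure in the user export."""
    findings = []
    for acct in accounts:
        # 1. Separated individuals must not hold an active account.
        separated_on = separations.get(acct.user_id)
        if separated_on is not None and separated_on <= as_of and acct.status == "active":
            findings.append(Finding(acct.user_id, "terminated_active",
                                    f"separated {separated_on.isoformat()}"))
        # 2. Accounts idle beyond the threshold (or never used) must be locked.
        idle_days = None if acct.last_login is None else (as_of - acct.last_login).days
        if acct.status != "locked" and (idle_days is None or idle_days > inactivity_limit):
            findings.append(Finding(acct.user_id, "inactive_not_locked",
                                    "never logged in" if idle_days is None
                                    else f"idle {idle_days} days"))
        # 3. Privileges must be within what the individual's role authorizes.
        excess = acct.privileges - authorized.get(acct.job_role, frozenset())
        if excess:
            findings.append(Finding(acct.user_id, "excess_privilege",
                                    ",".join(sorted(excess))))
        # 4. No single account may combine incompatible functions, even when
        #    the role matrix happens to authorize each of them on its own.
        for pair in incompatible:
            if pair <= acct.privileges:
                findings.append(Finding(acct.user_id, "incompatible_functions",
                                        "+".join(sorted(pair))))
    return findings


def by_issue(findings):
    """Group findings as {issue: sorted user ids} for the reviewer's report."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.issue, set()).add(f.user_id)
    return {issue: sorted(users) for issue, users in grouped.items()}


def run_sample():
    """Run the review over the constructed data above."""
    return by_issue(recertify(ACCOUNTS, SEPARATIONS, AUTHORIZED, INCOMPATIBLE))


if __name__ == "__main__":
    for f in recertify(ACCOUNTS, SEPARATIONS, AUTHORIZED, INCOMPATIBLE):
        print(f"{f.user_id:10} {f.issue:24} {f.detail}")
```

On the constructed data the review flags bjones twice (separated in August yet still active, and idle for 91 days), erivera for an account that was never used but never locked, dlee for a privilege outside the ap_clerk role, and both dlee and fkhan for holding an incompatible pair; fkhan's pair is fully authorized by the supervisor row of the matrix, which is why the segregation-of-duties test runs independently of the role check. The HR feed and the application export are the two inputs a supervisor review needs in front of it; the script only makes the comparison repeatable.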
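The material-weakness finding earlier in this letter states that scripts run in the database are not monitored through audit logging and that executed scripts are not reconciled with their testing, approval and financial-statement-impact records. As an added example (not code from this letter, from KPMG or from Coast Guard), the following Python block performs that reconciliation: it parses an execution log in which each entry records who ran which script from which host, together with a hash of the text actually executed, and checks every entry against a script approval register and a list of accounts permitted to run scripts. The log line format, the script bodies and their hashes, the register fields, the user and host names and the runner list are all assumptions constructed for the example; a real deployment would take the log from the database's own audit facility and the register from the change-control system.

```python
"""Reviewing the audit trail of data scripts run against a financial database.

Added example; not code from the OIG/KPMG report or from Coast Guard.
Reconciles a constructed script-execution log against a constructed
change-control register. Log format, script texts, register fields, user and
host names and the authorized-runner list are all assumptions for the example.
"""
import hashlib
import re


def sha256_hex(text):
    """Hash of the script text; the log records the hash of what was actually run."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed script bodies as approved through change control.
APPROVED_TEXT = {
    "fix_obligation_balances.sql":
        "UPDATE obligations SET balance = balance - adjustment WHERE fiscal_year = 2008;",
    "reload_vendor_codes.sql":
        "DELETE FROM vendor_codes; INSERT INTO vendor_codes SELECT * FROM vendor_codes_stage;",
    "close_period_fy08.sql":
        "UPDATE periods SET status = 'CLOSED' WHERE fiscal_year = 2008 AND period = 12;",
}

# Constructed approval register: the evidence change control holds for each script.
REGISTER = {
    "fix_obligation_balances.sql": {"sha256": sha256_hex(APPROVED_TEXT["fix_obligation_balances.sql"]),
                                    "tested": True, "approved_by": "module_lead_fin",
                                    "fs_impact_reviewed": True},
    "reload_vendor_codes.sql": {"sha256": sha256_hex(APPROVED_TEXT["reload_vendor_codes.sql"]),
                                "tested": False, "approved_by": None,      # still in draft
                                "fs_impact_reviewed": False},
    "close_period_fy08.sql": {"sha256": sha256_hex(APPROVED_TEXT["close_period_fy08.sql"]),
                              "tested": True, "approved_by": "module_lead_fin",
                              "fs_impact_reviewed": False},
}

# Constructed list of database accounts permitted to run approved scripts.
SCRIPT_RUNNERS = {"dbadmin1", "dbadmin2"}

# Constructed execution log, one line per script run. Line 3 runs an edited
# copy of an approved script; line 4 is an unregistered script run by an
# account that is not on the runner list.
MODIFIED_TEXT = APPROVED_TEXT["fix_obligation_balances.sql"].replace("2008", "2007")
AUDIT_LOG = [
    "2008-09-12T14:03:11 user=dbadmin1 host=ws-fin-07 script=fix_obligation_balances.sql sha256="
    + sha256_hex(APPROVED_TEXT["fix_obligation_balances.sql"]),
    "2008-09-15T09:41:58 user=dbadmin2 host=ws-fin-03 script=reload_vendor_codes.sql sha256="
    + sha256_hex(APPROVED_TEXT["reload_vendor_codes.sql"]),
    "2008-09-18T17:22:05 user=dbadmin1 host=ws-fin-07 script=fix_obligation_balances.sql sha256="
    + sha256_hex(MODIFIED_TEXT),
    "2008-09-20T02:14:40 user=contractor7 host=lap-ext-22 script=adhoc_cleanup.sql sha256="
    + sha256_hex("DELETE FROM journal_entries WHERE posted = 0;"),
    "2008-09-30T18:05:12 user=dbadmin2 host=ws-fin-03 script=close_period_fy08.sql sha256="
    + sha256_hex(APPROVED_TEXT["close_period_fy08.sql"]),
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"script=(?P<script>\S+) sha256=(?P<sha>[0-9a-f]{64})$")


def review_log(lines, register, runners):
    """Return (line_no, user, script, issue) for every execution that fails a check."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if m is None:
            findings.append((n, None, None, "unparseable_log_line"))
            continue
        user, script, sha = m["user"], m["script"], m["sha"]
        if user not in runners:
            findings.append((n, user, script, "unauthorized_runner"))
        rec = register.get(script)
        if rec is None:
            findings.append((n, user, script, "no_change_record"))
            continue
        if not rec["tested"] or rec["approved_by"] is None:
            findings.append((n, user, script, "incomplete_approval"))
        if sha != rec["sha256"]:
            findings.append((n, user, script, "differs_from_approved"))
        if not rec["fs_impact_reviewed"]:
            findings.append((n, user, script, "fs_impact_not_reviewed"))
    return findings


def issues_by_line(findings):
    """Group issues by log line number for the reviewer's report."""
    grouped = {}
    for n, _, _, issue in findings:
        grouped.setdefault(n, []).append(issue)
    return grouped


if __name__ == "__main__":
    for n, user, script, issue in review_log(AUDIT_LOG, REGISTER, SCRIPT_RUNNERS):
        print(f"line {n}: {issue:24} user={user} script={script}")
```

The hash comparison is what ties the two halves of the control together: a register entry can be complete and approved while the text that actually touched production differs from the approved version, which is exactly the case line 3 exercises. Entries that fail parsing are reported rather than skipped so that a gap in the audit trail is itself visible to the reviewer.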
For entity-wide security program planning and management:
• Create and implement contractor background investigation policies and procedures in order to establish requirements and ensure compliance with DHS Sensitive System Policy Directive 4300A. This includes the verification that all contracts issued by the Coast Guard include the appropriate Coast Guard position sensitivity designation requirements for contracted personnel.
• Perform initial background investigations and re-investigations for civilian employees in accordance with position sensitivity designations at no less than the Moderate level as required by DHS directives. In addition, conduct civilian background re-investigations every ten (10) years, as required by DHS directives, to ensure that each employee has a favorably adjudicated and valid Minimum Background Investigation.
• Finalize and implement the certification and accreditation (C&A) package for the key financial systems in accordance with DHS and NIST guidance.

For service continuity:
• Update the COOP to include the results of its testing and finalize the applicable supporting business continuity plans.

Cause/Effect: Many of these weaknesses were inherited from a system implementation in 2003 that did not properly take into account all of the key Coast Guard business and functional processes, operational support procedures, and IT security requirements; policies and procedures that were outdated, lacking, or contradictory; and a lack of consistent and proper monitoring and enforcement by Coast Guard management of the IT policies and procedures that are in place.

Reasonable assurance should be provided that financial system user access levels are limited and monitored for appropriateness and that all user accounts belong to current employees. The weaknesses identified within Coast Guard's access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities, or that a separated individual, or another person with knowledge of an active account of a terminated employee, could use the account to alter the data contained within the application or database. This may also increase the risk that the confidentiality, integrity, and availability of system controls and the financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in the DHS financial statements.

Furthermore, the lack of documented security configuration management controls may result in security responsibilities being communicated improperly to system developers, as well as the improper implementation and monitoring of system changes. This also increases the risk of unsubstantiated changes, as well as changes that may introduce errors or data integrity issues that are not easily traceable back to the changes. In addition, it increases the risk of undocumented and unauthorized changes to critical or sensitive information and systems. This may reduce the reliability of information produced by these systems.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. In addition, OMB Circular No. A-127 prescribes policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. FFMIA sets forth legislation prescribing policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. The purpose of FFMIA is: (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) to require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) to increase the accountability and credibility of federal financial management; (4) to improve performance, productivity and efficiency of Federal Government financial management; and (5) to establish financial management systems to support controlling the cost of the Federal Government. In closing, for this year's IT audit we assessed the DHS component's compliance with DHS Sensitive System Policy Directive 4300A.

APPLICATION CONTROL FINDINGS

Application controls were not tested for the year ending September 30, 2008 due to the nature of the prior-year audit findings.

MANAGEMENT COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from Coast Guard management. Generally, the Coast Guard agreed with all of our findings and recommendations. The Coast Guard has developed a remediation plan to address these findings and recommendations.
We have incorporated these comments where appropriate and included a copy of the comments at
Appendix D.

OIG Response

We agree with the steps that Coast Guard management is taking to satisfy these recommendations.


                                    Appendix A

     Description of Key Coast Guard Financial Systems and IT Infrastructure within the Scope
                          of the FY 2008 DHS Financial Statement Audit


   Below is a description of significant Coast Guard financial management systems and supporting
   Information Technology (IT) infrastructure included in the scope of the engagement to perform the
   financial statement audit.

   Locations of Audit: Coast Guard [redacted]; the Coast Guard [redacted]; the [redacted] in
   [redacted]; and the [redacted] ([redacted]) in [redacted].

   Key Systems Subject to Audit:
   • [redacted], which is the principal general ledger for recording financial transactions for the
     Coast Guard. [redacted] is hosted at [redacted], the Coast Guard’s primary data center. It is a
     customized version of [redacted] Financials.
   • [redacted]. Used to create and post obligations to the [redacted]. It allows users to enter
     funding, create purchase requests, issue procurement documents, perform system administration
     responsibilities, and reconcile weekly program element status reports. [redacted] is
     interconnected with the [redacted] system and is hosted at [redacted].
   • [redacted]. Document image processing system, which is integrated with an [redacted] relational
     database. [redacted] allows electronic data and scanned paper documents to be imaged and
     processed for data verification, reconciliation, and payment. [redacted] utilizes [redacted]
     software to scan documents, to view the images of scanned documents, and to render images of
     electronic data received. This system is hosted at [redacted].
   • [redacted]. A commercial product used to reconcile payment information retrieved from the
     United States Department of the Treasury. It reconciles transaction items that Treasury has
     processed to transaction items Coast Guard has sent to Treasury. This system is hosted at
     [redacted].
   • [redacted]. Database maintained at [redacted]. Information from [redacted] is uploaded to this
     instance monthly with other Coast Guard general ledger balances. After reconciliation and
     adjustment, balancing information is uploaded into [redacted].
   • [redacted] application, hosted at [redacted], used for paying Coast Guard active and reserve
     personnel payroll.
   • [redacted]. Formerly named the [redacted], [redacted] is hosted at [redacted] is the primary
     financial application for the [redacted], the [redacted], and the Coast Guard [redacted].
   • [redacted]. Web-based application, hosted at [redacted], designed to automate the management of
     Coast Guard’s vessel logistics by supporting the following functions: configuration, maintenance,
     supply, and finance.

                                    Appendix B

        FY2008 Notices of IT Findings and Recommendations – Coast Guard


Notice of Findings and Recommendations – Definition of Risk Ratings**:

The Notices of Findings and Recommendations (NFR) were risk ranked as High, Medium, and Low** based
upon the potential impact that each weakness could have on Coast Guard’s information technology (IT)
general control environment and the integrity of the financial data residing on Coast Guard’s financial
systems, and the pervasiveness of the weakness.

** The risk ratings are intended only to assist management in prioritizing corrective actions,
considering the potential benefit of the corrective action to strengthen the IT general control
environment and/or the integrity of the DHS consolidated financial statements. The risk ratings, used in
this context, are not defined by Government Auditing Standards, issued by the Comptroller General of the
United States, or the American Institute of Certified Public Accountants (AICPA) Professional Standards,
and do not necessarily correlate to a significant deficiency, as defined by the AICPA Standards and
reported in our Independent Auditors’ Report on the consolidated balance sheet of DHS as of September 30,
2008, dated November 14, 2008.

Correction of some higher risk findings may help mitigate the severity of lower risk findings, and
possibly function as a compensating control. In addition, analysis was conducted collectively on all
NFRs to assess connections between individual NFRs, which when joined together could lead to a control
weakness occurring with more likelihood and/or higher impact potential.

High Risk**: A control weakness that is more serious in nature, affecting a broader range of financial IT
systems, or having a more significant impact on the IT general control environment and/or the integrity
of the financial statements as a whole.

Medium Risk**: A control weakness that is less severe in nature, but in conjunction with other IT general
control weaknesses identified, may have a significant impact on the IT general control environment and/or
the integrity of the financial statements as a whole.

Low Risk**: A control weakness minimal in impact to the IT general control environment and/or the
integrity of the financial statements.

                       United States Coast Guard
                    FY2008 Information Technology
        Notification of Findings and Recommendations – Detail

(Columns of the original table: NFR #, Condition, Recommendation, New Issue, Repeat Issue, Risk Rating*.)

NFR # CG-IT-08-01 (Repeat Issue; Risk Rating*: Low)
Condition: The [redacted] Continuity of Operations Plan (COOP) has not been updated to reflect the
results of testing the COOP, and the Business Continuity Plans for each division have not been finalized.
Recommendation: Update the COOP as the result of its testing and finalize the applicable supporting
Business Continuity Plans.

NFR # CG-IT-08-06 (Repeat Issue; Risk Rating*: High)
Condition: During the first half of the fiscal year the contract with the [redacted] software vendor was
still in place, and no corrective action had taken place related to the prior year recommendation.
Therefore, the risk exists that the condition was present for the majority of the fiscal year
(October 1, 2007 through April 1, 2008). However, due to the Coast Guard decision to terminate the
contract with their software vendor and the Coast Guard decision to suspend all Software Problem Reports
(SPRs) and Software Change Requests (SCRs), the condition did not exist beyond the date of these two
events.
Recommendation:
  • Enhance existing Configuration Management/Change Management policies and procedures to explicitly
    address security configurations and software patches (e.g., those associated with
    system/application “builds”, service packs, and maintenance releases) to better ensure compliance
    with DHS requirements and NIST guidance.
  • Communicate with and educate affected staff regarding these improved policies and procedures.
  • Develop, communicate, and implement procedures to periodically review system changes and system
    baselines.

NFR # CG-IT-08-07 (Repeat Issue; Risk Rating*: Low)
Condition: We determined that Coast Guard’s [redacted] has not implemented the following password
requirements:
  • Passwords shall contain special characters
  • Passwords shall not contain any dictionary word
  • Passwords shall not contain any proper noun or the name of any person, pet, child, or fictional
    character
  • Passwords shall not contain any employee serial number, Social Security number, birth date, phone
    number, or any information that could be readily guessed about the creator of the password
  • Passwords shall not contain any simple pattern of letters or numbers, such as “qwerty” or “xyz123”
  • Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or
    with a two-digit “year” string, such as 98xyz123
  • Passwords shall not be the same as the User ID
While compensating controls were implemented to reduce the risk of unauthorized access, on their own
they do not eliminate that risk.
Recommendation:
  • Continue with the plans to upgrade the [redacted] operating system in order to enforce password
    complexity requirements to meet DHS Sensitive System Policy Directive 4300A.
  • Continue to implement mitigating controls to reduce the risk of unauthorized individuals gaining
    access to the system.
  • Educate all employees and contractors on the DHS Sensitive System Policy Directive 4300A password
    requirements so they can set their passwords in accordance with policy despite the system’s
    inability to enforce them.

NFR # CG-IT-08-10 (Repeat Issue; Risk Rating*: High)
Condition: Coast Guard [redacted] has developed but not yet implemented policies and procedures to
require that a favorably adjudicated background investigation be completed for all contractor personnel.
Recommendation: Create and implement contractor background investigation policies and procedures in
order to establish requirements and ensure compliance with DHS Sensitive System Policy Directive 4300A.
This includes the verification that all contracts issued by the Coast Guard include the appropriate Coast
Guard position sensitivity designation requirements for contracted personnel.

NFR # CG-IT-08-14 (Repeat Issue; Risk Rating*: Medium)
Condition: Coast Guard [redacted] has not finalized the Role-Based Training for Coast Guard Information
Assurance Professionals Commandant Instruction, which will require all Coast Guard members, employees,
and contractors with significant IT security responsibilities to receive initial specialized training and
annual refresher training thereafter. The online Training Management Tool, which will track compliance,
will not be implemented until the Role-Based Training is implemented.
Recommendation:
  • Continue efforts to finalize and implement the Role-Based Training for Coast Guard Information
    Assurance Professionals Commandant Instruction, which would require personnel with significant
    information security responsibilities to complete specialized role-based training on an annual
    basis.
  • Develop and deploy this specialized role-based training throughout the Coast Guard.
  • Implement the use of the Training Management Tool in order to track and verify specialized
    role-based training requirements compliance.

NFR # CG-IT-08-15 (New Issue; Risk Rating*: Low)
Condition: Until August 2008, configuration management weaknesses continued to exist on hosts
supporting the Naval Electronics [redacted].
Recommendation: Through our test work, we determined that the prior year control weakness had been
remediated prior to the fiscal year-end; therefore, no recommendation is required.

NFR # CG-IT-08-17 (New Issue; Risk Rating*: Low)
Condition: Although [redacted] has made significant progress in remediation, we were unable to verify
that [redacted] is consistently remediating the vulnerabilities identified by the [redacted] scans in
order to make it an effective mitigating control for the [redacted] application.
Recommendation: Continue to use the currently implemented mitigating controls for those DHS password
requirements that cannot be enforced by the system. Specifically, [redacted] should continue to routinely
use the [redacted] scanner and remediate any identified password weakness vulnerabilities.

NFR # CG-IT-08-22 (New Issue; Risk Rating*: Medium)
Condition: Until August 15, 2008, when corrective actions were successfully implemented, password rules
had not been appropriately configured for the [redacted] database. We noted that:
  • [redacted] does not require passwords to be a minimum of eight characters;
  • [redacted] does not require a combination of alphabetic, numeric, and special characters;
  • [redacted] does not restrict dictionary words;
  • [redacted] does not restrict simple pattern passwords;
  • [redacted] does not restrict dictionary words spelled backwards;
  • [redacted] does not restrict the use of proper names; and
  • [redacted] does not restrict the use of the employee’s user ID.
Recommendation: Through our test work, we determined that the prior year control weaknesses were
remediated prior to the fiscal year-end; therefore, no recommendation is required for this NFR.

NFR # CG-IT-08-23 (Repeat Issue; Risk Rating*: Medium)
Condition: Policies and procedures have not been developed and implemented for the manual periodic
review of [redacted] audit logs. As a result, [redacted] audit logs are not periodically reviewed.
Recommendation:
  • Develop procedures for the periodic review of the manual [redacted] audit logs in accordance with
    DHS policy.
  • Ensure that an entity independent of the personnel administering the [redacted] application reviews
    system audit trails on a regular basis as part of a more comprehensive continuous monitoring
    program.
  • Ensure audit log files are configured, retained, and archived in compliance with DHS policy.

NFR # CG-IT-08-25 (New Issue; Risk Rating*: Medium)
Condition: We determined the following weaknesses associated with the [redacted] change controls:
  • Procedures have been created and implemented for the quarterly review of developer and analyst
    roles. However, the procedures do not include the review of all other [redacted] user accounts to
    ensure that all terminated individuals no longer have active accounts, that inactive accounts are
    locked, and that privileges associated with each individual are still authorized and necessary.
  • 529 users have unlocked [redacted] database accounts with access to the [redacted]. Therefore, the
    number of users with the [redacted] role has increased by 141 users from the 388 users noted during
    FY 2007. Additionally, a mapping of [redacted] flow roles within the [redacted] application to the
    tables that can be updated within the [redacted] database has not been created. Therefore, we are
    unable to perform an analysis of the [redacted] flow roles and the associated tables that are
    affected to determine whether access is appropriately restricted.
  • The password configurations for the [redacted] and [redacted] profiles will not be updated to be in
    compliance with DHS guidance until after the [redacted] database upgrade. Since no improvements
    have been made with regard to the password configuration, we determined that the password
    configurations continue not to meet the DHS requirement that a user password contain at least one
    special character.
Recommendation:
  • Develop and implement procedures to require a periodic review of all [redacted] accounts and their
    associated privileges. These procedures should include steps to verify that all terminated
    individuals no longer have active accounts, that inactive accounts are locked, and that privileges
    associated with each individual are still authorized and necessary.
  • Continue to reduce the number of tables that can be updated to ensure that each user has a business
    need to update each table.
  • Document a mapping between the [redacted] flow roles and the associated database tables that are
    affected.
  • Continue with plans to complete the [redacted] database upgrade and configure the [redacted]
    password requirements to be in compliance with DHS guidance.

NFR # CG-IT-08-27 (Repeat Issue; Risk Rating*: Medium)
Condition: We noted that Coast Guard was unable to provide sufficient evidence of the following:
  • [redacted] access request forms are documented and approved;
  • [redacted] user accounts are revalidated annually; and
  • [redacted] access is revoked in a timely manner for employees or contractors that have left Coast
    Guard or are reassigned to other duties.
Recommendation:
  • Establish and enforce procedures to ensure [redacted] access request forms are documented, approved,
    and provided to [redacted] prior to establishing a [redacted] user account.
  • Continue to develop and implement policy and procedures for re-validating [redacted] user accounts in
    order to meet the requirements of DHS Sensitive System Policy Directive 4300A.
  • Establish and enforce procedures to ensure [redacted] access is revoked for employees or contractors
    who leave the Coast Guard or are reassigned to other duties in order to meet the requirements of
    DHS Sensitive System Policy
                                    Directive 4300A.\n\nCG-IT\xc2\xad   Coast Guard\xe2\x80\x99s controls over the scripting process remain       In order for management to assert to any financial                X       High\n08-31    ineffective. Weaknesses were noted in controls over script     statement line items, Coast Guard should:\n         implementation, approvals and testing, as well as active       \xef\xbf\xbd Continue to design, document, implement, and\n         script modification. In addition, Coast Guard has not               demonstrate the effectiveness of internal\n         maintained or developed a population of scripts run since           controls associated with the active (current\n         the inception of       in 2003 nor has it performed a               and future) scripts.\n         historical analysis of script impact on the cumulative\n         balances in permanent accounts of the financial statements.    \xef\xbf\xbd   Identify and evaluate the historical scripts (all\n         Specifically:                                                      those implemented prior to those identified in\n                                                                            recommendation 1 above) to determine the\n           \xef\xbf\xbd Coast Guard lacks a formal process to distinguish              financial statement impact on cumulative\n              between the module lead approvers for script approval         balances in permanent accounts; and develop\n              requests;                                                     and maintain supporting procedures related to\n           \xef\xbf\xbd The Procedures for Data Scripts do not specifically            each script.\n              state the testing and documentation requirements for\n              blanket approval scripts and this policy remains in       With respect to procedures already in place, Coast\n              draft form;                                               
Guard should:\n           \xef\xbf\xbd Coast Guard does not monitor scripts run in the            \xef\xbf\xbd Continue to update script policies and\n              database through audit logging and has not developed         procedures to include clear guidance over\n              a technical solution to monitor who accesses the             module lead approvers, testing and\n              database through                  to run scripts or          documentation requirements, monitoring/audit\n                                                                           log reviews, and blanket approval\n\n\n                                                                       19\nInformation Technology Management Letter for the Coast Guard Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                      Appendix B\n\n                                                 Department of Homeland Security\n\n                                                    United States Coast Guard\n\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n                                                                                                                              New     Repeat    Risk\nNFR #                            Condition                                            Recommendation\n                                                                                                                              Issue    Issue   Rating*\n             review what scripts are run;                                 requirements\n           \xef\xbf\xbd The                            does not consistently     \xef\xbf\xbd  Finalize and implement policies and\n             include all testing, approval, and implementation           procedures 
governing the script change control\n             documentation for all scripts; and                          process including completing records within\n           \xef\xbf\xbd Coast Guard has not completed          documentation        the                           for all executed\n             for all scripts executed since their implementation.        scripts and ensuring that all scripts are tested\n                                                                         in an appropriate test environment prior to\n                                                                         being put into production.\n                                                                      Regarding the actual scripts themselves, Coast\n                                                                      Guard should:\n                                                                      \xef\xbf\xbd Determine the root causes and specific\n                                                                         detailed actions necessary to correct the\n                                                                         conditions that resulted in scripts, for the total\n                                                                         population of scripts run at            in order\n                                                                         to develop system upgrades that would\n                                                                         eliminate the use of some of the scripts.\n                                                                      \xef\xbf\xbd   Continue efforts to complete an in-depth\n                                                                          analysis of active scripts, with the following\n                                                                          objectives:\n                                                                           o All changes to active scripts and new\n 
                                                                               scripts should be subject to an\n                                                                                appropriate software change control\n                                                                                process to include testing, reviews, and\n                                                                                approvals.\n                                                                           o All active scripts should be reviewed for\n                                                                                impact on financial statement balances.\nCG-IT\xc2\xad   Although Coast Guard                 has mandated the use    \xef\xbf\xbd   Finalize the procedure documentation and                      X      Medium\n08-32    of                                       to maintain and         communicate/distribute the procedures\n         track contracted personnel data, procedures surrounding\n\n\n                                                                     20\nInformation Technology Management Letter for the Coast Guard Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                         Appendix B\n\n                                                  Department of Homeland Security\n\n                                                     United States Coast Guard\n\n                                              Information Technology Management Letter\n                                                         September 30, 2008\n\n                                                                                                                                 New     Repeat    Risk\nNFR #                             Condition                                               Recommendation\n                          
                                                                                                       Issue    Issue   Rating*\n         this process have not been formally documented. As a             \xef\xbf\xbd   Continuously monitor controls over          to\n         result, we were unable to determine the effectiveness of the         verify that contractor data within the system\n         controls in place for contractor tracking.                           remains current and accurate.\nCG-IT\xc2\xad   Coast Guard does not consistently notify system owners           \xef\xbf\xbd   Implement an automated process/system that         X                Medium\n08-33    that individuals are terminating from the Coast Guard so             will notify system owners of terminated\n         that system accounts can be updated timely.                          contractor, military, and civilian personnel.\n                                                                          \xef\xbf\xbd   Finalize and implement entity management\n                                                                              policies and procedures for verifying that\n                                                                              terminated user accounts have been\n                                                                              successfully removed.\nCG-IT\xc2\xad   All               are not being appropriately reviewed and       \xef\xbf\xbd   Reconfigure the        tool to not allow the       X                Medium\n08-34    approved by management prior to                                      automatic approval of               upon\n         development/deployment. In addition,            developers           creation.\n         and testers are not updating information in the       tool in\n         a timely manner.                                                 
\xef\xbf\xbd   Enforce established change control policies\n                                                                              and procedures by reviewing and approving:\n                                                                              a) all software change requests prior to\n                                                                              developing the changes; b) test results; and c)\n                                                                              all test-developed changes prior to deploying\n                                                                              the changes into the production environment.\n                                                                          \xef\xbf\xbd   Ensure that the          development and test\n                                                                              staff adheres to the policies and procedures for\n                                                                              updating software change control information\n                                                                              within the         tool.\nCG-IT\xc2\xad   We noted that control weaknesses still exist within the          \xef\xbf\xbd            : Develop, implement, communicate,                  X       High\n08-35    design of          \xe2\x80\x99s Configuration Management policies              and enforce procedures regarding how\n         and procedures for       and      , as well as the                   changes are to be controlled, documented,\n         operating effectiveness of those controls. 
Our test work             tracked, and reviewed as these changes\n         over the design of the change controls covered both                  progress through testing and into production.\n         periods of the change control environment; however, our\n\n\n                                                                         21\nInformation Technology Management Letter for the Coast Guard Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                         Appendix B\n\n                                                  Department of Homeland Security\n\n                                                     United States Coast Guard\n\n                                              Information Technology Management Letter\n                                                         September 30, 2008\n\n                                                                                                                                 New     Repeat    Risk\nNFR #                             Condition                                                Recommendation\n                                                                                                                                 Issue    Issue   Rating*\n         testing of operating effectiveness covered only the period        \xef\xbf\xbd   Coast Guard                Develop,\n         of start of the fiscal year through March 2008, since no              implement, communicate, and enforce\n         changes were made to           and     from April through             procedures regarding how change control\n         the remainder of the fiscal year.                                     
documentation will be maintained, reviewed,\n                                                                               and validated in accordance with DHS\n                                                                               Sensitive System Policy Directive 4300A.\nCG-IT\xc2\xad   Configuration management weaknesses continue to exist on          \xef\xbf\xbd   Implement the corrective actions for the                    X      Medium\n08-36    hosts supporting the                   applications and               recommendations listed within the NFR.\n         the underlying                             .\n                                                                           \xef\xbf\xbd   Continue to implement policies and\n         Note: Due to the nature of this testing, see the tables in the        procedures to ensure that the tested and\n         NFR for the specific conditions.                                      deployed software builds include required\n                                                                               software patches and have current, correct,\n                                                                               and compliant security configuration settings.\n\nCG-IT\xc2\xad   Security patch management weaknesses continue to exist            \xef\xbf\xbd   Implement the corrective actions for the                    X      Medium\n08-37    on hosts supporting the                    applications               recommendations listed within the NFR.\n         and\n                                                                           \xef\xbf\xbd   Continue to implement polices and procedures\n         Note: Due to the nature of this testing, see the tables in the        to ensure that the tested and deployed software\n         NFR for the specific conditions.                                      
builds include required software patches and\n                                                                               have current, correct, and compliant security\n                                                                               configuration settings.\nCG-IT\xc2\xad   Although Coast Guard                   is in the process of       \xef\xbf\xbd                                        X\n                                                                               Perform initial background investigations   and                    Medium\n08-40    completing background investigations for all civilian                 re-investigations for civilian employees in\n         employees, this has not been completed. Additionally,                 accordance with position sensitivity\n         Coast Guard has set its position sensitivity designations to          designations at no less than the Moderate level\n         Low for the majority of its employees. However, DHS                   as required by DHS directives; and\n         requires position sensitivity designations no less than\n         Moderate which equates to a Minimum Background                    \xef\xbf\xbd   Conduct civilian background re-investigations\n         Investigation (MBI). 
Therefore, we determined that the                every ten (10) years, as required by DHS\n                                                                               directives, to ensure that each employee has a\n\n\n                                                                          22\nInformation Technology Management Letter for the Coast Guard Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                          Appendix B\n\n                                                   Department of Homeland Security\n\n                                                      United States Coast Guard\n\n                                               Information Technology Management Letter\n                                                          September 30, 2008\n\n                                                                                                                                  New     Repeat    Risk\nNFR #                              Condition                                                 Recommendation\n                                                                                                                                  Issue    Issue   Rating*\n         conditions noted in prior year NFR CG-IT-07-40 have not                 favorably adjudicated and valid MBI.\n         been remediated.\n\nCG-IT\xc2\xad              has not completed the risk assessment for the            Finalize and implement the Certification and                   X          Low\n08-41                , and the                                   is still    Accreditation Package for the               in\n         in draft form.                                                      
accordance with DHS and NIST guidance.\nCG-IT\xc2\xad   During prior financial statement audits dating back to FY           \xef\xbf\xbd Continue to implement, improve, and                          X       High\n08-42    2003, we noted that implementation and oversight of the                 monitor compliance with DHS, Coast\n         Coast Guard\xe2\x80\x99s information security policy and procedures                Guard, and Federal security policies and\n         was fragmented among the organizations responsible for                  procedures in the areas of:\n         operating various applications/systems. In FY 2008,                     - Change Controls\n         significant improvements have been made in some areas;              \xef\xbf\xbd Continue to improve and monitor\n         however, improvements are still warranted at the Coast                  compliance with DHS, Coast Guard, and\n         Guard data centers/locations that operate and process key               Federal security policies and procedures in\n         Coast Guard financial information. Improvements are                     the areas of:\n         needed especially in the areas of change control and to a               - Access Controls\n         lesser extent, access to data and programs. These two key               - Entity-wide Security Planning\n         areas were the subject of significant findings identified and           - Service Continuity\n         recommendations that were made during the audit.                        
- Segregation of Duties\n                                                                                 - System Software\n         As a result of our audit test work and supported by all the             - Application Controls\n         IT NFRs issued during the current year, we determined that\n                                                                             \xef\xbf\xbd Develop and implement corrective action\n         Coast Guard is non-compliant with the Federal Financial\n                                                                                 plans to address and remediate the NFRs\n         Management Improvement Act.\n                                                                                 issued during the FY 2008 audit. These\n                                                                                 corrective action plans should be developed\n                                                                                 from the perspective of the identified root\n                                                                                 cause of the weakness. In addition, the IT\n                                                                                 NFRs should not be assessed as individual\n                                                                                 issues to fix, but instead, should be assessed\n                                                                                 collectively based upon the area where the\n                                                                                 weakness was identified. 
This approach\n\n\n                                                                            23\nInformation Technology Management Letter for the Coast Guard Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                          Appendix B\n\n                                                      Department of Homeland Security\n\n                                                         United States Coast Guard\n\n                                                  Information Technology Management Letter\n                                                             September 30, 2008\n\n                                                                                                                                  New     Repeat    Risk\n     NFR #                            Condition                                              Recommendation\n                                                                                                                                  Issue    Issue   Rating*\n                                                                                 would enable a corrective action that would\n                                                                                 be more holistic in nature, thereby leading to\n                                                                                 a more efficient and effective process of\n                                                                                 fixing those controls which are not operating\n                                                                                 effectively.\n     CG-IT\xc2\xad   During our testwork over        and      access accounts,      \xef\xbf\xbd   Implement and document the                        X               Medium\n     08-43    we noted that controls over user account authorizations and           
                   (      ) user access\n              controls over user account reviews were not operating              review procedures to include all        access\n              effectively.                                                       privileges and include supervisors in each\n                                                                                 review.\n                                                                             \xef\xbf\xbd   Update procedures to ensure that a\n                                                                                 documented and approved access\n                                                                                 authorization request is completed for each\n                                                                                 individual prior to granting him/her access to\n                                                                                 the      and        applications or databases.\n\n* Risk ratings are only intended to assist management in prioritizing corrective actions. 
Risk ratings in this context do not correlate to definitions of control deficiencies as identified by the AICPA.


                                                                               Appendix C
                           Department of Homeland Security
                              United States Coast Guard
                       Information Technology Management Letter
                                  September 30, 2008


                                    Appendix C

Status of Prior Year Notices of Findings and Recommendations And Comparison To Current Year Notices of Findings and Recommendations


Component   NFR #   Description   Disposition (Closed / Repeat)

CG   07-01   Disposition: Repeat (08-01)
  [redacted] has replaced the Disaster Recovery Business Continuity concept with the development of a Continuity of Operations Plan (COOP) which addresses disaster recovery, business continuity and continuity of government. However, the COOP is in draft form and has not yet been tested, and the Memorandum of Understanding with the [redacted] for reciprocal services is still in draft form as well.

CG   07-02   Disposition: Closed
  The [redacted] change control policy does not detail requirements for requesting, testing, and approving changes. Furthermore, there are no formalized requirements pertaining to retention of supporting documentation and the roles and responsibilities of personnel in the process. Additionally, the policy does not adequately reflect the [redacted] environment and change control process that was utilized during the [redacted] upgrade performed during FY07. Examples of inconsistencies include the references to service packs, data fixes, and the testing procedures completed.

CG   07-03   Disposition: Closed
  The [redacted] system does not meet DHS password complexity requirements, and the [redacted] system is not scheduled for decommissioning until December 2007.

CG   07-04   Disposition: Closed
  We identified the following account terminations weaknesses at [redacted]:
  • From October 1, 2006 through July 24, 2007, [redacted] had not yet implemented policies and procedures for use in managing terminations, including the use of the Outgoing Personnel Form.
  • Outgoing Personnel Forms were not completed for one of five individuals selected for testing.
  • One terminated individual remained active within [redacted] until 90 days after his last logon before his account was revoked as part of the [redacted] account review process.
  • The account of a second terminated individual remains active within the system, although it has been configured to automatically log out the terminated individual if he attempts to login. Although this is a low risk issue, the existence of this account still presents a potential risk to the [redacted] data.

CG   07-05   Disposition: Closed
  Policies and procedures regarding requesting, authorizing, testing, and approving operating system changes are not consistently followed. Additionally, a testing baseline standard has not been established to ensure that operating system changes have not adversely affected portions of the system that were not intended to be affected. Lastly, [redacted] was unable to reconcile changes to the operating system to a listing of authorized operating system changes to ensure that all changes have been appropriately approved.

CG   07-06   Disposition: Repeat (08-06)
  The contract Coast Guard [redacted] has with the [redacted] and [redacted] software vendor does not include security configuration requirements that must be adhered to during the configuration management process. Consequently, [redacted] and [redacted] builds and maintenance packs may not be configured and implemented with comprehensive security configuration requirements. CG recognizes the absence of security requirements and indicated that the contract with the vendor will be reassessed in 2008 during the contract renewal process with Coast Guard [redacted] and corrective actions will be taken at that time.

CG   07-07   Disposition: Repeat (08-07)
  [redacted] has not implemented the following password requirements:
  • Passwords shall contain special characters
  • Passwords shall not contain any dictionary word
  • Passwords shall not contain any proper noun or name of any person, pet, child, or fictional character
  • Passwords shall not contain any employee serial number, social security number, birth date, phone number, or any information that could be readily guessed about the creator of the password
  • Passwords shall not contain any simple pattern of letters or numbers, such as qwerty or xyz123
  •
Passwords shall not be any word, noun, or name spelled backwards\n                        or appended with a single digit or with a two digit year string, such\n                        as 98xyz123\n\n                      \xef\xbf\xbd Passwords shall not be the same as the User ID\n\n\n\n                                                          27\n     Information Technology Management Letter for the Coast Guard Component of the FY 2008 DHS \n\n                                    Financial Statement Audit \n\n\x0c                                                                                                         Appendix C\n                                   Department of Homeland Security\n                                      United States Coast Guard\n                               Information Technology Management Letter\n                                          September 30, 2008\n\n                                                                                                      Disposition\nComponent    NFR #                                Description                                   Closed       Repeat\n\nCG          07-08     Two generic accounts have access to            and                .         X\n                      Additionally, we determined that the                and\n                                    settings were not enabled. Furthermore, four accounts\n                      assigned to     personnel had both            and\n                      two of which were system programmers.\n\nCG          07-09     Every individual with access to the            data center has not          X\n                      completed the required emergency response training. Additionally,\n                      four employees were identified with 24 hour access to the data center\n                      that had not completed the training as of July 2007. 
Lastly, the\n                      security guards, with unrestricted access to the data center, have not\n                      yet been required to complete the training.\n\nCG          07-10     No formal procedures have been developed or implemented by Coast                       08-10\n                      Guard                 to address DHS requirements surrounding the\n                      suitability screening of contractors accessing DHS IT systems. DHS\n                      directives and policies require Coast Guard and other DHS\n                      components to ensure the completion of background investigations\n                      for all contractors accessing IT systems. The type of background\n                      investigation should be based on the risk level of the job position at\n                      Coast Guard and should be completed prior to the start of work.\n                      However, no Coast Guard guidance exists to require Coast Guard\n                      components to clear their contractors for suitability, especially those\n                      with sensitive IT positions.\n\nCG          07-11 \n   Session lockout times need to be changed from 40 to 20 minutes to           X\n                      meet DHS requirements.\n\nCG          07-12 \n   The                        Disaster Recovery Plan has not been              X\n                      tested, and we were unable to obtain a finalized Memorandum of\n                      Understanding between        and Telecommunications and\n                      Information Systems Command.\n\nCG          07-13 \n          is not consistently following the System Development Lifecycle       X\n                      for all          application changes. 
For four system change\n                      proposals and their associated sub-tasks, supporting documentation\n                      (i.e., evidence of testing, peer reviewer, approvals, evidence of joint\n                      application design meetings and business sponsor approvals) was not\n                      available.\n\nCG          07-14     Lack\n of criteria for defining personnel with significant IT                           08-14\n                      responsibilities within the Coast Guard IT Security Awareness,\n                      Training and Education Plan. Additionally, the personnel that are\n                      defined in the guidance are very limited and do not fully cover the\n\n\n\n                                                         28\n     Information Technology Management Letter for the Coast Guard Component of the FY 2008 DHS \n\n                                    Financial Statement Audit \n\n\x0c                                                                                                         Appendix C\n                                     Department of Homeland Security\n                                        United States Coast Guard\n                                 Information Technology Management Letter\n                                            September 30, 2008\n\n                                                                                                      Disposition\nComponent    NFR #                                   Description                                Closed       Repeat\n\n                      scope of security responsibilities addressed in DHS requirements.\n\nCG          07-15     The         application database (        ) is using       version                     08-15\n                              , which is no longer supported by the vendor. 
    Additionally, an account on the [redacted] database has a password the same as the account name ([redacted]). The database also has a directory manipulation vulnerability in the binary file [redacted].

CG 07-16 [Closed]
    [redacted] has developed and implemented policies and procedures that address the review of inactive [redacted] accounts and lock those that have been inactive for 90 days. However, DHS guidance requires that inactive accounts be locked after 30 days.

CG 07-17 [Repeat: 08-17]
    [redacted] access control weaknesses were noted:

    • Passwords shall contain special characters

    • Passwords shall not contain any dictionary word

    • Passwords shall not contain any proper noun or name of any person, pet, child, or fictional character

    • Passwords shall not contain any employee serial number, social security number, birth date, phone number, or any information that could be readily guessed about the creator of the password

    • Passwords shall not contain any simple pattern of letters or numbers, such as qwerty or xyz123

    • Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or with a two digit year string, such as 98xyz123

CG 07-18 [Closed]
    [redacted] access control weaknesses were noted:

    • Passwords shall contain special characters

    • Passwords shall not contain any dictionary word

    • Passwords shall not contain any proper noun or name of any person, pet, child, or fictional character

    • Passwords shall not contain any employee serial number, social security number, birth date, phone number, or any information that could be readily guessed about the creator of the password

    • Passwords shall not contain any simple pattern of letters or numbers, such as qwerty or xyz123

    • Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or with a two digit year string, such as 98xyz123

    • [redacted] accounts of terminated individuals are not removed in a timely manner, including one individual who had user account management capabilities within the [redacted] system. Additionally, application and database accounts are not being reviewed for appropriateness.

CG 07-19 [Closed]
    [redacted] access control weaknesses were noted:

    • Documented access request forms could not be located for two new [redacted] users granted access to the application.

    • [redacted] accounts are not immediately disabled upon an employee's termination.

    • Procedures have not been developed to require periodic account reviews to be performed to ensure that all users and their associated privileges are appropriate.

    • [redacted] has not been configured to track and deactivate accounts that have not been used in 30 days.

    • An excessive number of individuals had user administrator capabilities within [redacted] until the implementation of the centralized user management (August 19, 2007).

    • Password configuration is not in compliance with DHS guidance.

CG 07-20 [Closed]
    The periodic review of [redacted] accounts only covers 1% of all user accounts with roles greater than [redacted] and that have been modified within the last 90 days. The population that is validated during this [redacted] review was found to be insufficient, as the user population of the system is approximately 60,000 user accounts.

CG 07-21 [Closed]
    The procedures for the periodic review of [redacted] user accounts do not require a review of all active user accounts and privileges to be performed and validated.

CG 07-22 [Repeat: 08-22]
    Password configuration weaknesses exist in the [redacted] application. Also, the [redacted] application is configured to terminate idle sessions after 30 minutes of inactivity instead of 20 minutes.

CG 07-23 [Repeat: 08-23]
    While audit logging has been turned on for the [redacted] database, reviews of actions being taken on that database are still not being performed.

CG 07-24 [Closed]
    Policies and procedures regarding [redacted] data used for the Coast Guard environmental liability report on the DHS Consolidated balance sheet have been developed but are currently in draft form and have not been implemented.

CG 07-25 [Repeat: 08-25]
    The following access control weaknesses were identified within [redacted]:

    • Excessive access exists within the [redacted] database.

    • Password configurations for the [redacted] and [redacted] profiles have been configured to permit passwords to be a minimum of six characters in length. Additionally, the password history requirement is the only password requirement that has been configured for the [redacted] profile.

    • Audit logging has not been enabled within the [redacted] application or database.

    • Documented access request forms could not be located for nine out of 22 new [redacted] users granted access to the application. Additionally, although the automated access request forms for the other 13 out of 22 new [redacted] users granted access to the application were approved, the level of access/privileges associated with the new user was not documented on the access request form.

    • Individuals who are no longer employed with [redacted] were found to have active accounts within [redacted].

    • [redacted] account reviews have not been performed on a periodic basis.

CG 07-26 [Closed]
    [redacted] has been configured to automatically end date accounts that have been inactive for six months.
    However, DHS requirements require accounts to be disabled after 30 days of inactivity.

CG 07-27 [Repeat: 08-27]
    Accounts within [redacted] that have been inactive for more than 90 days have not been disabled, access request authorization forms were unavailable for 19 of the 30 individuals who had accounts created during FY07, a recertification of [redacted] accounts is not performed, and terminated employees are not deactivated in a timely manner.

CG 07-28 [Closed]
    From the sample selected, a developer had elevated production privileges in [redacted]. Also, two procedures/packages [redacted] were added to [redacted] privileges.

CG 07-29 [NFR transferred to Audit Team. See Financial NFR 08-32.]
    The individual who enters an applicant's data into the [redacted] also has the ability to hire the applicant in the system.

CG 07-30 [Closed]
    [redacted] functional change control policies and procedures did not reflect the change control process for the [redacted] changes and did not adequately detail guidance for the change control process. Specifically, the policy does not include requirements for requesting, testing, and approving changes prior to implementing the functional change into the [redacted] production environment.

CG 07-31 [Repeat: 08-31]
    Coast Guard has only eliminated a small number of the scripts used on a consistent basis and is projecting that this approach will continue into the delivery of [redacted] and beyond. Additionally, we noted that as of April 27, 2007, 240 scripts were run during a week long period. The number and type of scripts that are executed during any one period in time varies from week to week depending on the issues encountered. Of the 240 scripts noted during this particular week, several were run numerous times for the same software gap. Consequently, [redacted] has not fully integrated the two change control processes or eliminated the need for the scripts.

CG 07-32 [Repeat: 08-32]
    Coast Guard does not maintain a centralized listing of contracted personnel, including employment status, such as start date and termination date, so that system accounts can be updated in a timely manner.

CG 07-33 [Repeat: 08-33]
    Coast Guard does not consistently notify system owners that individuals are terminating from the Coast Guard so that system accounts can be updated in a timely manner.

CG 07-34 [Repeat: 08-34]
    [redacted] is not consistently implementing policies and procedures regarding the [redacted] change control process. Specifically, supporting documentation is not maintained for all changes and emergency changes. Additionally, changes may be approved prior to the change being tested and passing the test.

CG 07-35 [Repeat: 08-35]
    Policies and procedures for the overall change control process surrounding [redacted] and [redacted] changes and emergency changes are inadequate. Specifically, the policies and procedures do not fully include guidance for the roles and responsibilities [redacted] possesses in the change control process. Additionally, they do not include detailed requirements and guidance on requesting changes, initial approvals, [redacted] testing, final approvals and documentation retention requirements for changes made to the system.

CG 07-36 [Repeat: 08-36]
    Configuration management weaknesses exist on hosts supporting the [redacted], [redacted], and [redacted] applications and [redacted].

CG 07-37 [Repeat: 08-37]
    Patch management weaknesses exist on hosts supporting the [redacted], [redacted], and [redacted] applications and [redacted].

CG 07-38 [Closed]
    Coast Guard's [redacted] program changes are implemented in production prior to approval from the Financial Reports & Analysis Branch Chief or the Financial Control & Information Division Chief as required by [redacted] policy and procedures. Additionally, systems personnel move program changes into production without signing off on the Request Change to [redacted] Database form as required by the [redacted] procedures.

CG 07-39 [Closed]
    Coast Guard has not completed the process of filing the background investigation records that were recovered and recreating the records that were not found during the migration of records from the Department of Transportation to DHS.

CG 07-40 [Repeat: 08-40]
    Civilian background investigations and reinvestigations are not being performed in accordance with DHS Minimum Background Investigation standards per DHS Sensitive System Policy Directive 4300A.

CG 07-41 [Repeat: 08-41]
    Per review of the [redacted] Certification and Accreditation (C&A) package, we noted that system boundary definitions do not fully reflect the systems environment in which Coast Guard operates, the C&A does not reflect system changes made in the [redacted] upgrade, and [redacted] is classified by Coast Guard as a subsystem of [redacted]; however, there is no documentation within the [redacted] that defines [redacted] as a subsystem and addresses the appropriate security controls for [redacted] in this capacity according to NIST requirements for subsystems.

CG 07-42 [Repeat: 08-42]
    Coast Guard is not compliant with the Federal Financial Management Improvement Act from an information technology perspective in the following areas:

    • Computer Security Act Requirements, including aspects of the Federal Information Security Management Act

    • System Documentation

    • Internal Controls

    • Training and User Support

    • System Maintenance

    • System Information Flow

Appendix D
Department of Homeland Security
United States Coast Guard
Information Technology Management Letter
September 30, 2008

Appendix D
Management Comments
Report Distribution

Department of Homeland Security

Secretary
Acting Deputy Secretary
Chief of Staff for Operations
Chief of Staff for Policy
Acting General Counsel
Executive Secretariat
Under Secretary, Management
Acting Assistant Commissioner, USCG
DHS Chief Information Officer
DHS Chief Financial Officer
Chief Financial Officer, USCG
Chief Information Officer, USCG
DHS Chief Information Security Officer
Assistant Secretary for Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Office of Legislative Affairs
DHS GAO OIG Audit Liaison
Chief Information Officer, Audit Liaison
USCG Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees as Appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
    DHS Office of Inspector General/MAIL STOP 2600,
    Attention: Office of Investigations - Hotline,
    245 Murray Drive, SW, Building 410,
    Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.